On 2 February 2022 the United Kingdom published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers (Addendum) under Section 119A of the Data Protection Act 2018. Following Parliamentary approval, both the IDTA and the Addendum came into force on 21 March 2022.
This means they are now available to UK companies for so-called restricted transfers to third countries. Essentially, the IDTA and the Addendum allow UK companies to transfer personal data in a data protection compliant way to third countries for which no adequacy regulations exist.
In practice the most important transfers are those to the United States (US), which at the time of writing has neither an adequacy regulation from the Secretary of State nor an adequacy decision from the European Commission.
What is a restricted transfer?
Following Brexit, data protection in the UK is governed by the UK General Data Protection Regulation (UK GDPR), which sets forth three conditions for a restricted transfer:
- the UK GDPR applies to the data that is to be transferred (usually because the company processing the data is located in the UK),
- the company is sending personal data, or making it available, to a recipient to which the UK GDPR does not apply, for example because the recipient is located outside the UK, and
- the recipient obtaining the data is a separate organisation.
In the case of a restricted transfer (which in the European Union would be called a third country transfer), the exporting company has to ensure that an appropriate safeguard for the transfer is in place. These safeguards are intended to ensure that, after the transfer, the personal data is afforded a level of protection essentially equivalent to that guaranteed in the UK.
For some countries, such as all EU Member States, Switzerland and Japan, UK companies can rely on adequacy regulations made by the Secretary of State under the Data Protection Act 2018. In such cases, no additional transfer safeguard is required for the transfer to comply with data protection law.
However, for the vast majority of third countries other safeguards are necessary. In particular, companies can ensure an appropriate level of data protection by executing a legally binding agreement with the data recipient.
Why were new transfer mechanisms adopted in the UK?
Until March 2022 there was no UK-specific mechanism for restricted transfers under the UK GDPR. Rather, UK companies were still using the old EU Standard Contractual Clauses (legacy SCCs), which were adopted by the European Commission in 2001 and 2010 and were valid at the time of Brexit.
In 2021 the ICO announced that it would publish its own set of agreements for restricted transfers. After public consultation, these documents were laid before the UK Parliament on 2 February 2022. As Parliament did not raise objections to the documents, UK companies have been able to choose from 21 March 2022 between the following two agreements for restricted transfers:
- International Data Transfer Agreement (IDTA) and
- International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers (Addendum).
Both documents take into account the judgment of the Court of Justice of the European Union in Schrems II, which remains valid in the UK as part of the retained EU law.
International Data Transfer Agreement
Like the EU SCCs under the EU GDPR, the IDTA (available as PDF) is a standalone agreement intended to ensure appropriate protection of personal data in a third country. It covers all processing situations (transfers from a controller or a processor to a controller or a processor) and is, in terms of content, relatively similar to the new EU SCCs. However, unlike the new EU SCCs, the IDTA does not incorporate a data processing agreement, meaning that for transfers to a processor, companies will still have to conclude a separate data processing agreement (Art. 28 UK GDPR) alongside the IDTA.
The IDTA is comprised of four parts:
- In Part 1, the parties to the IDTA have to complete the tables with details of the transfer. Among other information, they have to provide information on the companies involved, transfer details and security requirements (technical and organisational measures). Notably, parties also have to indicate how often they will review the security requirements.
- In Part 2, the parties can establish so-called extra protection clauses, which can be of technical, organisational or contractual nature. Given that before a transfer the exporter has to conduct a transfer risk assessment assessing the risks to the data following a restricted transfer, these clauses could provide for additional protection (supplemental measures) in case risks are identified during the transfer risk assessment.
- In Part 3, the parties may stipulate commercial clauses pertaining to the restricted transfer.
- Part 4 (mandatory clauses) is by far the longest one. It provides for rules on various topics ranging from the interpretation of the clauses to the required actions in case of a data breach. Part 4 may not be modified by the parties.
To reduce the administrative burden to the benefit of UK companies, Part 4 of the IDTA sets forth that should the ICO adopt an updated version of the IDTA, the IDTA executed between the parties will automatically be amended accordingly, without the parties having to take action.
International Data Transfer Addendum
Unlike the IDTA, the Addendum (available as PDF) is not a standalone agreement but a complement to the new EU SCCs. In particular, it benefits companies transferring data from both the EU and the UK, as it eliminates the need to conclude two full separate agreements (the EU SCCs and the IDTA). Instead, by concluding the Addendum, data transfers from the UK are governed by the EU SCCs referenced in it, as modified by the Addendum to fit UK law.
In such cases, the additional burden for the companies is very limited: besides detailing the information on the parties to the Addendum, the companies merely need to indicate which modules and clauses of the EU SCCs will apply and where the Annexes to the SCCs can be found.
Transition Period from the EU SCCs to the IDTA and Addendum
We are currently in the transition period that UK companies have been given to change the contractual basis on which they transfer personal data from the UK to third countries without adequacy regulations. Most UK companies will currently be relying on the European Union Standard Contractual Clauses (EU SCCs) from 2001 and 2010 to transfer data. However, they may only do so until 21 March 2024.
By 21 March 2024 all UK companies must have updated all their contracts for the transfer of personal data to rely on either the Addendum or the IDTA. While that may sound like sufficient time, the renegotiation, updating and finalisation of all your contracts will require a substantial investment of resources, expertise and time.
A failure to update even one contract by 21 March 2024, with personal data continuing to be transferred to a third country under the expired EU SCCs, would be a breach of data protection law. It would expose the exporter to administrative fines of up to £17,500,000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, as well as to compensation claims from data subjects under Art. 82 of the UK GDPR.
It is therefore well worth consulting an expert before running the risk of a fine.
When can you continue to use the EU SCCs from 2001 and 2010?
As stated above, companies are allowed to rely on the EU SCCs from 2001 and 2010 until 21 March 2024. However, this is tied to certain conditions:
- The companies must have entered into these EU SCCs for the transfer before 21 September 2022. Under the transition arrangements for the IDTA and the Addendum, the old EU SCCs may no longer be used for new contracts from 21 September 2022. Any contract concluded on or after that date must already be based on the IDTA or the Addendum.
- Companies who correctly entered into the EU SCCs before 21 September 2022 may continue to rely on them only if the “processing operations that are the subject matter of the contract remain unchanged and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards”. This means UK companies using the EU SCCs until 21 March 2024 unfortunately cannot remain idle until then either.
What to do when continuing with the EU SCCs from 2001 and 2010
Companies planning to continue relying on the EU SCCs while they plan or carry out their transition to the IDTA and the Addendum must ensure that the above-mentioned conditions are fulfilled.
The first condition is easier to verify: check the date on which the last party signed the contract and make sure it is before 21 September 2022. If it is not, you must use the IDTA or the Addendum.
The second condition is harder to monitor. The parties must be constantly aware of the processing activities covered by their use of the EU SCCs and of any changes to those activities. For example, if more personal data, or additional categories of personal data, are suddenly transferred than were covered by the EU SCCs, this is a change to the relevant processing activities and the transfer can no longer take place in a data protection compliant manner under the existing contract. The transfer must then be moved onto the IDTA or the Addendum.
Companies must also ensure that reliance on the EU SCCs continues to subject the transfer to appropriate safeguards. This essentially requires the parties to continually review, and if necessary update, the technical and organisational measures agreed under the EU SCCs to ensure that the personal data is adequately protected.
Again, constant monitoring is required to ensure that the agreed level of data security is maintained.
How to use the IDTA and the Addendum
The Information Commissioner’s Office (ICO) has unfortunately not yet published its promised “Clause by clause guidance to the IDTA and Addendum” or its “Guidance on how to use the IDTA”. We will continue to keep an eye out for these. For now, the texts of the IDTA and the Addendum are the only guides available. In terms of amendments, for example, they provide the following:
The IDTA itself makes clear that the clauses which require no input from the parties, i.e. the Mandatory Clauses in Part 4, may not be changed, except:
- For cross-referencing purposes or formatting changes;
- To delete non-applicable clauses. Yet the IDTA provides for the continued application of removed clauses if they have been removed incorrectly, including because a wrong selection is made. Thus, even deleted clauses may still bind parties;
- To nominate a lead Party if the IDTA operates as a multi-party agreement; or
- To update the IDTA to set out in writing any changes made to it by the ICO from time to time. Regardless of whether parties update their IDTA the changes the ICO makes to the approved IDTA will apply.
The Addendum provides that the parties may amend it only in three respects: to change the applicable law and/or courts to those of Scotland or Northern Ireland, to change its format (by agreeing the change in writing), or to update their Addendum to set out in writing any changes made to the approved Addendum template by the ICO from time to time. As with the IDTA, the changes the ICO makes to the approved Addendum apply regardless of whether the parties update their own copy.
If one can draw parallels to the use of the new EU SCCs from 2021, for which the EU Commission has published an FAQ, then the IDTA and the Addendum may become part of a broader commercial contract, e.g. as an annex to a Master Services Agreement, as long as the other contractual provisions do not contradict the IDTA or Addendum, directly or indirectly, or prejudice the rights of data subjects. The EU Commission gives the following example:
“where the SCCs require the parties to inform each other or cooperate, the parties may agree on additional clauses that lay down how the communication/cooperation between the parties will take place in practice”.
A lot of work lies ahead for UK companies in order to remain, or become, compliant with data protection rules on restricted transfers. While the Addendum and the IDTA are welcome additions from the ICO, being tailored to the UK regulatory landscape rather than inherited from the EU, implementing them is unfortunately not a minimal-effort exercise.
Companies aiming to make the transition smoothly and with the least risk of a fine should seek the experience, knowledge and support of professionals who deal with this matter daily.